nats.io

How can I deny permission to publish messages for an account?


The NATS documentation is a bit unclear on how to set up permissions for accounts, so I used the following:

nsc edit account account_name --deny-pub ">"

but I could still send messages. It is not clear how accounts, users and operators work; please give examples of their use and explain the difference between them.


Solution

  • In NATS, accounts are used to achieve true multitenancy. That means that no messages in that account are visible in any other account, so there is no need to set any permissions. It's full isolation.

    Let's assume the given config:

    accounts: {
        A: {
            users: [
                {user: a, password: a}
            ]
        },
        B: {
            users: [
                {user: b, password: b}
            ]
        },
    }
    

    If user b, from account B, subscribes to the subject events.>:

    nats --user b --password b sub events.>
    

    and user a, being attached to account A, publishes a message to the subject events.data with payload data:

    nats --user a --password a pub events.data data
    

    User b will not get that message, as it's in a different account. This is true multitenancy, meaning users can use the same subjects across accounts and there is no clash between them.

    Here are some docs around multitenancy: https://docs.nats.io/running-a-nats-service/configuration/securing_nats/accounts#import-export-example
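As an added example (not part of the answer above), here is the same two-account nats-server configuration extended with a per-user `permissions` block, which is the config-file way to do what the question asks for. Account isolation is unchanged; on top of it, user `a` is forbidden from publishing to any subject. The extra user `a2` and the comments are illustrative assumptions; `permissions`, `publish`, `deny` and the `>` wildcard are standard nats-server config.

```conf
# Added example, not from the original answer: the answer's config plus
# per-user permissions. Account A and account B remain fully isolated;
# the permissions only narrow what a user may do inside its own account.
accounts: {
    A: {
        users: [
            {
                user: a, password: a,
                # deny-only rule: whatever is not listed under deny stays allowed,
                # so this blocks every publish (">" matches all subjects) while
                # leaving a's subscriptions untouched
                permissions: {
                    publish: { deny: ">" }
                }
            },
            # assumed second user in A with the default permissions: it may
            # publish and subscribe to anything, but only within account A
            {user: a2, password: a2}
        ]
    },
    B: {
        users: [
            {user: b, password: b}
        ]
    }
}
```

With this file loaded, `nats --user a --password a pub events.data data` is rejected by the server with a permissions violation, while `nats --user a2 --password a2 pub events.data data` succeeds; neither message reaches `b`'s `events.>` subscription, because B is a separate account. Note that the `nsc edit account --deny-pub` command from the question edits an account JWT for operator (decentralized JWT) mode; it has no effect on a server that defines accounts in its config file like this one, and in operator mode the updated JWT still has to reach the server's account resolver (for example with `nsc push`) before it applies. The plaintext passwords are placeholders carried over from the answer; nats-server also accepts bcrypt hashes in the `password` field.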